diff --git a/charts/incubator/meshcentral/Chart.yaml b/charts/incubator/meshcentral/Chart.yaml
index 7b8607902d4..0423f47c166 100644
--- a/charts/incubator/meshcentral/Chart.yaml
+++ b/charts/incubator/meshcentral/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 kubeVersion: ">=1.16.0-0"
 name: meshcentral
 appVersion: "1.0.90"
-version: 5.0.9
+version: 5.0.10
 description: MeshCentral is a full computer management web site
 type: application
 deprecated: false
@@ -18,11 +18,11 @@ sources:
 dependencies:
 - name: common
 repository: https://library-charts.truecharts.org
- version: 10.7.7
+ version: 10.7.8
 - condition: mongodb.enabled
 name: mongodb
 repository: https://charts.truecharts.org/
- version: 2.0.40
+ version: 2.0.42
 maintainers:
 - email: info@truecharts.org
 name: TrueCharts
diff --git a/charts/incubator/meshcentral/questions.yaml b/charts/incubator/meshcentral/questions.yaml
index 0d65b78458c..c0d8dd85c89 100644
--- a/charts/incubator/meshcentral/questions.yaml
+++ b/charts/incubator/meshcentral/questions.yaml
@@ -83,6 +83,12 @@ questions:
 schema:
 type: boolean
 default: true
+ - variable: agentWsCompression
+ label: agentWsCompression
+ description: Enables agent-side, websocket per-message deflate compression. wscompression must also be true for this to work.
+ schema:
+ type: boolean
+ default: true
 - variable: allowFraming
 label: allowFraming
 description: When enabled, the MeshCentral web site can be embedded within another website's iframe.
@@ -101,6 +107,18 @@ questions:
 schema:
 type: boolean
 default: true
+ - variable: agentLogDump
+ label: agentLogDump
+ description: Automatically downloads all agent error logs into meshcentral-data/agenterrorlogs.txt.
+ schema:
+ type: boolean
+ default: false
+ - variable: agentCoreDump
+ label: agentCoreDump
+ description: Automatically activates and transfers any agent crash dump files to the server in meshcentral-data/coredumps.
+ schema:
+ type: boolean
+ default: false
 - variable: browserPing
 label: browserPing
 description: When specified, sends data to the browser at x seconds interval and expects a response from the browser.
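Review bot: The `agentCoreDump` description says crash dumps are transferred into meshcentral-data/coredumps but not that a crash dump is a raw memory image of the agent process, which on a managed endpoint can hold session keys, tokens or credentials in clear; the GUI text is the only place an operator sees before flipping this on. Suggest extending the description: `Crash dumps are raw agent memory images and may contain credentials; enable only while actively debugging and protect the meshcentral-data volume accordingly.` The `default: false` for both `agentLogDump` and `agentCoreDump` is the right choice and should stay. The enclosing questions list starts and ends outside this hunk.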
@@ -131,17 +149,66 @@ questions:
 schema:
 type: int
 default: -99
- - variable: plugins
- label: Section
+ - variable: maxInvalidLogin
+ label: Section
 schema:
 additional_attrs: true
 type: dict
 attrs:
- - variable: enabled
- label: enabled
+ - variable: time
+ label: time
+ description: Time in minutes over which the a maximum number of invalid login attempts is allowed from an IP address.
 schema:
- type: boolean
- default: false
+ type: int
+ default: 10
+ - variable: count
+ label: count
+ description: Maximum number of invalid login attempts from an IP address in the time period.
+ schema:
+ type: int
+ default: 10
+ - variable: coolofftime
+ label: coolofftime
+ description: Additional time in minute that login attempts will be denied once the invalid login limit is reached.
+ schema:
+ type: int
+ default: 30
+ - variable: exclude
+ label: exclude
+ description: Ranges of IP addresses that are not subject to invalid login limitations. For example 192.168.1.0/24,172.16.0.1
+ schema:
+ type: string
+ default: ""
+ - variable: maxInvalid2fa
+ label: Section
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: time
+ label: time
+ description: Time in minutes over which the a maximum number of invalid 2FA attempts is allowed from an IP address.
+ schema:
+ type: int
+ default: 10
+ - variable: count
+ label: count
+ description: Maximum number of invalid 2FA attempts from an IP address in the time period.
+ schema:
+ type: int
+ default: 10
+ - variable: coolofftime
+ label: coolofftime
+ description: Additional time in minute that 2FA attempts will be denied once the invalid login limit is reached.
+ schema:
+ type: int
+ default: 30
+ - variable: exclude
+ label: exclude
+ description: Ranges of IP addresses that are not subject to invalid 2FA limitations. For example 192.168.1.0/24,172.16.0.1
+ schema:
+ type: string
+ default: ""
 - variable: autobackup
 label: Section
 schema:
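Review bot: The `coolofftime` description under `maxInvalid2fa` was copied from the login block and still says "once the invalid login limit is reached"; it should read `Additional time in minutes that 2FA attempts will be denied once the invalid 2FA limit is reached.` (the login variant also has the "time in minute" typo). The two `exclude` fields are free-form strings whose only hint is an example, so `Comma-separated list of IP addresses or CIDR ranges that are not subject to invalid login limitations, e.g. 192.168.1.0/24,172.16.0.1` would tell the operator the format before a typo silently disables the exemption. Since the companion values.yaml change turns these sections on by default, these GUI entries now shape live lockout policy, so a `min: 1` on `time` and `count` would also stop an accidental 0 — I cannot tell from here how MeshCentral treats 0. The enclosing questions list starts and ends outside this hunk.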
@@ -224,6 +291,17 @@ questions:
 type: string
 required: true
 default: ""
+ - variable: plugins
+ label: Section
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: enabled
+ label: enabled
+ schema:
+ type: boolean
+ default: false
 - variable: domains
 label: Section
 schema:
@@ -276,6 +354,30 @@ questions:
 schema:
 type: boolean
 default: true
+ - variable: mstsc
+ label: mstsc
+ description: When enabled, activates the built-in web-based RDP client.
+ schema:
+ type: boolean
+ default: true
+ - variable: ssh
+ label: ssh
+ description: When enabled, activates the built-in web-based SSH client.
+ schema:
+ type: boolean
+ default: true
+ - variable: novnc
+ label: novnc
+ description: When enabled, activates the built-in web-based VNC client.
+ schema:
+ type: boolean
+ default: true
+ - variable: geoLocation
+ label: geoLocation
+ description: Enables the geo-location feature and device location map in the user interface, this feature is not being worked on.
+ schema:
+ type: boolean
+ default: true
 - variable: nightMode
 label: nightMode
 description: 0 = User selects day/night mode, 1 = Always night mode, 2 = Always day mode
@@ -294,6 +396,30 @@ questions:
 max: 2
 requited: true
 default: 2
+ - variable: deviceMeshRouterLinks
+ label: Section
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: rdp
+ label: rdp
+ description: Display a RDP link in the device tab when supported
+ schema:
+ type: boolean
+ default: true
+ - variable: ssh
+ label: ssh
+ description: Display a SSH link in the device tab when supported
+ schema:
+ type: boolean
+ default: true
+ - variable: scp
+ label: scp
+ description: Display a SCP link in the device tab when supported
+ schema:
+ type: boolean
+ default: true
 - variable: agentCustomization
 label: Section
 schema:
diff --git a/charts/incubator/meshcentral/templates/_secret.tpl b/charts/incubator/meshcentral/templates/_secret.tpl
index 07dc63dcb1c..17b21de5e61 100644
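Review bot: In the `@@ -276,6 +354,30 @@` hunk `geoLocation` is given `default: true` while its own description says the feature "is not being worked on"; shipping an unmaintained feature enabled by default is the wrong way round, so either `default: false` or drop that sentence from the description. The three remote-access toggles `mstsc`, `ssh` and `novnc` also all default to true; their descriptions should say what that exposes, e.g. `When enabled, activates the built-in web-based RDP client (sessions and credentials are relayed through the MeshCentral server).` — presumably that is how the web clients work, confirm against upstream. With the values.yaml defaults flipped in the same commit, these GUI defaults are what a fresh SCALE install gets. The enclosing domains section starts and ends outside this hunk.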
--- a/charts/incubator/meshcentral/templates/_secret.tpl
+++ b/charts/incubator/meshcentral/templates/_secret.tpl
@@ -2,6 +2,8 @@
 {{- define "meshcentral.secret" -}}
 {{- $secretName := printf "%s-secret" (include "tc.common.names.fullname" .) }}
+{{- $secretStorageName := printf "%s-storage-secret" (include "tc.common.names.fullname" .) }}
+
 {{- $config := .Values.meshcentral }}
 {{- $isScale := false }}
@@ -12,7 +14,7 @@
 {{- end }}
 {{- $sessionKey := "" }}
-{{- with (lookup "v1" "Secret" .Release.Namespace $secretName) }}
+{{- with (lookup "v1" "Secret" .Release.Namespace $secretStorageName) }}
 {{- $sessionKey = (index .data "session_key") }}
 {{- else }}
 {{- $sessionKey = randAlphaNum 32 }}
@@ -43,10 +45,25 @@
 {{- end }}
 {{- if $isScale }}
- {{- $config = (include "prune.keys.scale" $config) }}
+ {{- $config = (include "mergeAndrenameDefaultDomain" $config) }}
+ {{- $config = (include "prune.keys.scale" (fromYaml $config)) }}
 {{- else }}
 {{- $config = (include "prune.keys" $config) }}
 {{- end }}
+
+---
+
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ $secretStorageName }}
+ labels:
+ {{- include "tc.common.labels" . | nindent 4 }}
+data:
+ {{/* Store session_key to reuse */}}
+ session_key: {{ $sessionKey | b64enc }}
+
 ---
 apiVersion: v1
@@ -57,9 +74,6 @@ metadata:
 labels:
 {{- include "tc.common.labels" . | nindent 4 }}
 data:
- {{/* Store session_key to reuse */}}
- session_key: {{ $sessionKey | b64enc }}
- trigger_redeploy: {{ randAlpha 5 | b64enc }}
 {{/* The actual config */}}
 config.json: |
 {{- toPrettyJson (fromYaml $config) | b64enc | nindent 4 }}
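Review bot: In the `@@ -12,7 +14,7 @@` hunk the lookup now targets `$secretStorageName`, a Secret that does not exist yet on any install upgraded from 5.0.9, so the first upgrade takes the `else` branch and mints a fresh `randAlphaNum 32` session key — every logged-in browser session is invalidated once, and nothing in the commit or chart notes says so. A one-time fallback to the old `$secretName` (still defined two hunks up) keeps the key stable across the migration; the `define "meshcentral.secret"` block continues past this hunk. Separately, `index .data "session_key"` returns the base64 form stored in the Secret while the new storage Secret writes `{{ $sessionKey | b64enc }}`; unless a `b64dec` sits in the lines between these hunks that I cannot see, the key is re-encoded on every upgrade rather than reused — worth checking, because the whole point of the lookup is key stability. Also note that `lookup` returns nothing under `helm template`/`--dry-run`, so rendered diffs will always show a new key.

```yaml
{{- $sessionKey := "" }}
{{- with (lookup "v1" "Secret" .Release.Namespace $secretStorageName) }}
{{- $sessionKey = (index .data "session_key") }}
{{- else }}
  {{/* One-time migration: reuse the key from the pre-5.0.10 secret before minting a new one. */}}
  {{- with (lookup "v1" "Secret" .Release.Namespace $secretName) }}
  {{- $sessionKey = (index .data "session_key") }}
  {{- else }}
  {{- $sessionKey = randAlphaNum 32 }}
  {{- end }}
{{- end }}
```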
@@ -85,17 +99,8 @@ data:
 {{/* Prunes int and float equal to -99 */}}
 {{/* Prunes empty strings (Does not prune empty strings in lists) */}}
 {{/* Prunes keys that start with _ */}}
-{{/* Renames tcdefaultdomain variable to "" as this is the key used by MeshCentral */}}
-{{/* but SCALE GUI does not handle it well */}}
 {{- define "prune.keys.scale" }}
 {{- $values := . }}
- {{- if (hasKey $values "domains") }}
- {{- if (hasKey $values.domains "tcdefaultdomain") }}
- {{- $defaultDomain := $values.domains.tcdefaultdomain }}
- {{- $_ := set $values.domains "" $defaultDomain }}
- {{- $_ := unset $values.domains "tcdefaultdomain" }}
- {{- end }}
- {{- end }}
 {{- range $k, $v := $values }}
 {{- if eq (kindOf $v) "string" }}
 {{- if not $v }}
@@ -122,3 +127,14 @@ data:
 {{- end }}
 {{- toYaml $values }}
 {{- end }}
+
+{{/* Renames tcdefaultdomain variable to "" as this is the key used by MeshCentral */}}
+{{/* but SCALE GUI does not handle it well */}}
+{{- define "mergeAndrenameDefaultDomain" }}
+ {{- $values := . }}
+ {{- $defaultDomain := index $values.domains "" }}
+ {{- $computedDomain := mergeOverwrite $defaultDomain $values.domains.tcdefaultdomain }}
+ {{- $_ := set $values.domains "" $computedDomain }}
+ {{- $_ := unset $values.domains "tcdefaultdomain" }}
+ {{- toYaml $values }}
+{{- end }}
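Review bot: The new `mergeAndrenameDefaultDomain` helper drops the `hasKey $values "domains"` / `hasKey $values.domains "tcdefaultdomain"` guards that the removed code in `prune.keys.scale` had, so on the `$isScale` path a values file without `tcdefaultdomain` (or without a `""` domain) now hands `nil` to `mergeOverwrite` and, as far as I can tell, fails the render instead of being a no-op. Restore the guard around the merge, `{{- if and (hasKey $values "domains") (hasKey $values.domains "tcdefaultdomain") }} … {{- end }}`, and default the base map, `{{- $defaultDomain := (index $values.domains "" | default dict) }}`. Also worth a comment in the helper that precedence is GUI-over-values (`tcdefaultdomain` overwrites keys of the `""` domain) and that, like the old code, `set`/`unset` mutate `.Values.meshcentral` for the rest of the render.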
@@ -17,12 +15,6 @@ podSecurityContext:
 runAsUser: 0
 runAsGroup: 0
-env:
- trigger_redeploy:
- secretKeyRef:
- name: '{{ include "tc.common.names.fullname" . }}-secret'
- key: trigger_redeploy
-
 # - Values with the character _ in-front of them are pruned. Add or remove _ to disable or enable options
 # - More in-depth info for each options can be found here: https://github.com/Ylianst/MeshCentral/blob/master/meshcentral-config-schema.json
 # - Check for this chart's specific info in our webpage https://truecharts.org
@@ -64,7 +56,7 @@ meshcentral:
 _StrictTransportSecurity: null
 # - When enabled, the MeshCentral web site can be embedded within another website's iframe.
 allowFraming: false
- # - Options: strict | lax | none
+ # - Options: strict | lax | none | true
 _cookieIpCheck: lax
 # - When enabled, allows use of WebRTC to allow direct network traffic between the agent and browser.
 webRTC: false
@@ -93,7 +85,7 @@ meshcentral:
 # - Enables server-side, websocket per-message deflate compression.
 wsCompression: true
 # - Enables agent-side, websocket per-message deflate compression. wscompression must also be true for this to work.
- _agentWsCompression: true
+ agentWsCompression: true
 # - Set to 1 to present the server from updating any agent.
 _noAgentUpdate: 0
 # - When set to 2, all agents that need to be updated will use the meshcore.js update system. With the default value of 1, the native update system is used.
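Review bot: In the `@@ -93,7 +85,7 @@` hunk `agentWsCompression` goes from pruned to explicitly enabled, and the comment above it does not mention that per-message deflate on an authenticated channel is a compression-side-channel vector (CRIME/BREACH class) whenever attacker-influenced data shares a frame with secrets; for agent-to-server traffic that is a narrower threat than for browser traffic, but a default flip that trades a known class of leak for bandwidth deserves saying so. Suggest `# - Compression on an authenticated channel can leak secrets by frame length (CRIME/BREACH class) if untrusted data is mixed in; set to false if in doubt.` In the `@@ -64,7 +56,7 @@` hunk the new `| true` option would render as a JSON boolean while the others are strings — confirm against meshcentral-config-schema.json that a boolean is accepted there before advertising it.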
@@ -209,25 +201,25 @@ meshcentral:
 _redirects:
 meshcommander: https://www.meshcommander.com/
 # - This section described a policy for how many times an IP address is allowed to attempt to login incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.
- _maxInvalidLogin:
+ maxInvalidLogin:
 # - Ranges of IP addresses that are not subject to invalid login limitations. For example: 192.168.1.0/24,172.16.0.1
- exclude: null
+ _exclude: ""
 # - Time in minutes over which the a maximum number of invalid login attempts is allowed from an IP address.
 time: 10
 # - Maximum number of invalid login attempts from an IP address in the time period.
 count: 10
 # - Additional time in minute that login attempts will be denied once the invalid login limit is reached.
- coolofftime: null
+ coolofftime: 30
 # - This section described a policy for how many times an IP address is allowed to attempt to perform two-factor authentication (2FA) incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.
- _maxInvalid2fa:
+ maxInvalid2fa:
 # - Ranges of IP addresses that are not subject to invalid 2FA limitations. For example: 192.168.1.0/24,172.16.0.1
- exclude: null
+ _exclude: ""
 # - Time in minutes over which the a maximum number of invalid 2FA attempts is allowed from an IP address.
 time: 10
 # - Maximum number of invalid 2FA attempts from an IP address in the time period.
 count: 10
 # - Additional time in minute that 2FA attempts will be denied once the invalid login limit is reached.
- coolofftime: null
+ coolofftime: 30
 # - When present, this section will enable the Intel AMT provisioning server on the local network. This is used for Intel AMT bare-metal ACM activation.
 _amtProvisioningServer:
 # - Port number that provisioning server will listen to.
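Review bot: `maxInvalidLogin` and `maxInvalid2fa` now apply by default with a 30-minute cool-off, but the counters are keyed on the client IP and nothing in this hunk says how MeshCentral obtains it; behind the chart's Service or an ingress every login may appear to come from the proxy address, in which case ten bad attempts by anyone lock out all users for 30 minutes (a trivial DoS), while putting the proxy IP in `exclude` would switch the protection off entirely. I cannot see in this diff whether the chart wires MeshCentral's trusted-proxy setting from its ingress configuration; that needs to be confirmed or at least documented next to this block, e.g. `# - Limits are per client IP; behind a reverse proxy configure the trusted proxy setting so the forwarded address is used, otherwise all users share one counter.` The 2FA `coolofftime` comment was also copied from the login block and should read "once the invalid 2FA limit is reached". The `meshcentral:` map starts and ends outside this hunk.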
@@ -529,13 +521,13 @@ meshcentral:
 # - Action taken if one of the lines in meshagent.tag contains ~ServerTags:tag1,tag2,tag3. 0=Ignore, 1=Set, 2=SetIfEmpty, 3=Append.
 ServerTags: 0
 # - Enables the geo-location feature and device location map in the user interface, this feature is not being worked on.
- _geoLocation: false
+ geoLocation: true
 # - When enabled, activates the built-in web-based VNC client.
- _novnc: true
+ novnc: true
 # - When enabled, activates the built-in web-based RDP client.
- _mstsc: false
+ mstsc: true
 # - When enabled, activates the built-in web-based SSH client.
- _ssh: false
+ ssh: true
 # - Path where to find custom email templates for this domain.
 _webEmailsPath: null
 _customUI: null
@@ -995,10 +987,8 @@ persistence:
 readOnly: true
 defaultMode: "0600"
 objectName: '{{ include "tc.common.names.fullname" . }}-secret'
- mountPath: /opt/meshcentral/meshcentral-config
- items:
- - key: config.json
- path: config.json
+ mountPath: /opt/meshcentral/meshcentral-data/config.json
+ subPath: config.json
 portal:
 enabled: true
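Review bot: `mstsc` and `ssh` flip from unset placeholders (`_mstsc: false`, `_ssh: false`, presumably mirroring the upstream defaults) to enabled, and `geoLocation` is enabled although the comment right above it says the feature is not being worked on; none of the comments record that this chart now deliberately widens the default attack surface with browser-based RDP and SSH clients that carry credentials through the server. Suggest `# - Enabled by default in this chart; disable per domain if browser-based RDP/SSH relay into managed networks is not wanted.` on `mstsc`/`ssh`, and either `geoLocation: false` or removing the "not being worked on" sentence. The `meshcentral:` map starts and ends outside this hunk.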
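Review bot: In the `@@ -995,10 +987,8 @@` hunk `subPath: config.json` means the kubelet will never refresh the mounted file when the Secret changes (subPath mounts of Secrets/ConfigMaps are not updated in place), and the same commit removes the `trigger_redeploy` env var and secret key that previously forced a rollout on every render; unless the common library adds a checksum annotation on the pod template — not visible here — config edits will not reach a running pod until it is restarted by hand. Mounting a `readOnly: true` file inside `meshcentral-data`, which is the server's writable data directory, also needs confirming against MeshCentral's behaviour: if it ever rewrites config.json itself that write will now fail. Suggest `# - subPath mounts are not refreshed on Secret change; restart the pod after editing the config.` next to `subPath`. The `persistence:` map starts and ends outside this hunk.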